[lmap] Fwd: Kathleen Moriarty's Discuss on draft-ietf-lmap-use-cases-05: (with DISCUSS)
Benoit Claise <bclaise@cisco.com> Mon, 15 December 2014 17:43 UTC
Return-Path: <bclaise@cisco.com>
X-Original-To: lmap@ietfa.amsl.com
Delivered-To: lmap@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFEB1A8709 for <lmap@ietfa.amsl.com>; Mon, 15 Dec 2014 09:43:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oexs6Wmqu6QH for <lmap@ietfa.amsl.com>; Mon, 15 Dec 2014 09:43:41 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2C401A8714 for <lmap@ietf.org>; Mon, 15 Dec 2014 09:43:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13894; q=dns/txt; s=iport; t=1418665420; x=1419875020; h=message-id:date:from:mime-version:to:subject:references: in-reply-to; bh=lTX+V58xxVkPvdx3DLbNd5J+aup6IBsaNkIVpQ1L3Ak=; b=gX4xedpuPu0dNU4b9+PprmtxGTgXESjI4Q1VfJFkOEUbZZ+A45DW7Cc5 ExexMobwjo16+KC0tzBCFjHGGLrL3Ekik5DSufOuMYJILy32rvpj91Apr Fl4HeMIMpp5Y+I/LRov4NZtGQCFpU77yCnnFxP5sDGz4FUYXDKROfobm3 M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgYFAIwcj1StJssW/2dsb2JhbABag1hYgwa5G4k8hXICgTcBAQEBAX2EDAEBAQQjVQ0EHAMBAgoWCwICCQMCAQIBDywCCAYNBgIBAQUSh30DEQ29a5BdDYUyAQEBAQEBAQECAQEBAQEBAQEBAQEXjUqBRhEBLhEYBoJigUEFhR+HDYUUg26BQ4ELMIIughAhhRI6ghmDOCKCMIE9PTABgQuBNwEBAQ
X-IronPort-AV: E=Sophos;i="5.07,581,1413244800"; d="scan'208,217";a="275208477"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP; 15 Dec 2014 17:43:37 +0000
Received: from [10.60.67.84] (ams-bclaise-8913.cisco.com [10.60.67.84]) by aer-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id sBFHhaDF017580 for <lmap@ietf.org>; Mon, 15 Dec 2014 17:43:36 GMT
Message-ID: <548F1DC8.3080608@cisco.com>
Date: Mon, 15 Dec 2014 18:43:36 +0100
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0
MIME-Version: 1.0
To: "lmap@ietf.org" <lmap@ietf.org>
References: <20141203150933.21842.60071.idtracker@ietfa.amsl.com>
In-Reply-To: <20141203150933.21842.60071.idtracker@ietfa.amsl.com>
X-Forwarded-Message-Id: <20141203150933.21842.60071.idtracker@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------060602090300070207050409"
Archived-At: http://mailarchive.ietf.org/arch/msg/lmap/uc9_E-_OHFQd94WRreqGy5Pa_xk
Subject: [lmap] Fwd: Kathleen Moriarty's Discuss on draft-ietf-lmap-use-cases-05: (with DISCUSS)
X-BeenThere: lmap@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Large Scale Measurement of Access network Performance <lmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lmap>, <mailto:lmap-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/lmap/>
List-Post: <mailto:lmap@ietf.org>
List-Help: <mailto:lmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lmap>, <mailto:lmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Dec 2014 17:43:44 -0000
FYI. Regards, Benoit -------- Original Message -------- Subject: Kathleen Moriarty's Discuss on draft-ietf-lmap-use-cases-05: (with DISCUSS) Date: Wed, 3 Dec 2014 07:09:33 -0800 From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> To: The IESG <iesg@ietf.org> CC: <draft-ietf-lmap-use-cases@tools.ietf.org>, <lmap-chairs@tools.ietf.org> Kathleen Moriarty has entered the following ballot position for draft-ietf-lmap-use-cases-05: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-lmap-use-cases/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- The draft is well written and easy to read, thank you for that. I just have one concerns I'd like to chat about: Section 3.1, second to last paragraph This discusses the probes nicely in terms of privacy concerns, but leaves out the security concerns that have resulted in any type of probe traffic being blocked in the past. If you are going to leave the privacy concerns in this section, you should also have the security concerns with network mapping and the ability to use this information to assess open ports as well as path information that could be used in the first case to attack/compromise a host or for denial of service attacks for the first and second case. Path information is mentioned in 3.3, so perhaps the DoS mention would be better there and the general security along with the privacy in section 3.1. Later section 5 mentioned the use of an app to gather information from the end user as opposed to their gateway. Security and privacy considerations should be mentioned here as well since they differ from the the probe scenario. I would not recommend going in depth on this topic as this is just the use case document, but rather mentioning it. It would be out-of-scope to get to deep into application security and protections from compromise or the ability to gather privacy information about the user patterns. A high level statement of those concerns is enough (IMO) and can get addressed in the solution documents. Apps and desktop tools can be directly associated with a user as opposed to a home and can lead to desktop compromise, so this is different than the previously mentioned privacy concerns in section 3. I am aware that these types of services are available today via web pages and is up to the user to initiate. Section 7 First bullet I'd keep DoS attacks restricted to the degradation of service and have the points on privacy and business confidentiality listed separately as merging them confusing the points and attack vectors. Both can potentially use information gathered from the probes or the actual management station itself, but in different ways, this isn't clear from the bullet. The DoS could be launched directly from the management station or information about the network and path to hosts could be used to launch a targeted DoS attack. The accuracy of the measurement system mentioned in the last part of the bullet makes sense combined with the Dos Attack. For privacy, you could collect patterns of use to understand user behavior (already in bullet 2). Additionally, one could use the information gathered from probes to determine open ports and potential vulnerabilities that could be used to compromise the end point (security concern). For business confidentiality, I'm not sure what you mean here. Is this referring to an ability to gather endpoint information to monitor along paths for a business? I would assume that the probe traffic will be designed to include innocuous information and will just be used for measurement data. It looks as is the SecDir reviewer had similar concerns with the connections between points made in bullet one, so it would be good to fix this and I hope my above explanation is enough to help you adjust the text and add the additional considerations. I'm happy to help with the text if needed. The suggested text to the SecDir review is helpful, but would need to change to address the additional concerns I raised (thanks for your work on that with Hannes!). http://trac.tools.ietf.org/area/ops/trac/wiki/mib-security The SecDir review had a few other good points for bullet 6 that you have addressed with proposed text and your proposed text is included here for tracking purposes: Part of Hannes' request: * prevent unauthorized access to collected measurement data, * give users the ability to view collected data, * give users the ability to exert control over sharing, and * enforce retention periods. ** Editor's proposed text on all points for bullet 6: 6. a measurement system that does not indicate who is responsible for the collection and processing of personal data and who is responsible for fulfilling the rights of users. The responsible party (often termed the "data controller") should, as good practice, consider issues such as defining:- the purpose for which the data is collected and used; how the data is stored, accessed, and processed; how long it is retained for; and how the end user can view, update, and even delete their personal data. If anonymised personal data is shared with a third party, the data controller should consider the possibility that the third party can de-anonymise it by combining it with other information. .
- [lmap] Fwd: Kathleen Moriarty's Discuss on draft-… Benoit Claise